Risk Management Cycle Accessible Version
Overview
The Information Security Office (ISO) facilitates formal, ongoing risk assessments for software, services, and other high-value information resources that need a regular security check-up. Service Evaluations and Risk Assessments help assess, document, and manage security risks posed to university information resources. Each serves a different purpose in the risk management lifecycle.
Service Evaluations
Service Evaluations are conducted by the ISO before systems, services, software, and similar resources are set up and put into use. The ISO reviews information about how a service will be used, what data it will handle, how it can protect that information, and what risks it may present to the university. If necessary, the service is also flagged for recurring (annual or biennial) risk assessments. The ISO then creates a data security plan to help ensure the service can be used safely.
Risk Assessments
Risk Assessments are a separate process from service evaluations. They are required for high-value and high-risk services, systems, locations, networks, and workstations to quantify risks they present to the university and to ensure compliance with good practice. Unlike service evaluations, risk assessments must be completed annually or biennially (depending on the risk presented by the service) by the information resource owners and custodians outside of the ISO.
How a Service or Software gets Evaluated:
Procuring new software or services at Texas State University requires a security review, among other things. Below is the general process for how a software or service is handled by the ISO.
- Software or service is evaluated: All new, and some renewing, software and services must go through a service evaluation. Find out more on the Software and Service Evaluation page.
- Software is either denied or approved: After evaluation, a software or service can be either approved or not. If approved, the ISO will establish a security plan which must be accepted by the Information Resource Owner in order to implement the software or service.
- Monitoring / Maintenance: Once a software or service is implemented, the Information Resource Owners and Information Resource Custodians are responsible for managing permissions, running updates, and reporting security incidents to the ISO as soon as they are discovered.
- Reassessment and Monitoring: The risk profile of a software or service determines what kind of reassessment cycle is required. This is decided at the time of implementation. Monitoring and reassessment of assessable objects and devices are ongoing.
General FAQs
- What’s the difference between a service evaluation and a risk assessment?
  Service Evaluations are conducted by the Information Security Office, usually before a product, application, or service is used, to make sure it can be implemented securely. Risk assessments are primarily completed by the owners and custodians of information resources on a recurring basis after the first year of use, to make sure the resources are still secure and to compare their security posture to that of other resources.
- Why are some services prohibited for use?
  Some products offer a feature lineup similar to in-place services offered by IT, and where there’s redundancy, there isn’t much incremental benefit for the risk that comes with duplicated services. In other cases, Texas State doesn’t have a business-to-business agreement with the service provider, so there’s neither contractual protection for the information it may handle nor the ability for effective, enterprise-grade management, support, and oversight.
- We haven’t had problems before. Why does the ISO need to evaluate my department’s services and run risk assessments?
  University policy, the state laws that drive policy creation, and best practice all require that the Information Security Office evaluate products prior to procurement or use. The same policies and practices require that the ISO facilitate ongoing risk assessments for certain moderate- and high-risk information resources so the risks posed by their use can be measured and mitigated as appropriate.
- Are service evaluations and risk assessments required for departments outside of IT?
  Yes, both service evaluations and risk assessments are required by university-level policy.
- Are service evaluations and risk assessments required for grant-funded operations and research?
  Yes, both service evaluations and risk assessments are required by university-level policy. Teams under the Office of Research and Sponsored Programs may also require additional procedures that involve the ISO to help ensure the goals of a grant or project can be met while protecting the information involved.
Service Evaluation FAQs
- I’ve used this product for years. Why is the service evaluation form only required now?
  The Information Security Office has not yet been able to evaluate all of the institution’s products and services under its current processes. Historic purchases may have been evaluated under different criteria, or the way in which they were purchased may have prevented the ISO from learning about them until later.
- Why do I have to fill out the “new” service evaluation request form when renewing software?
  The request form helps provide the ISO with accurate information about how you or your department use the software or service, including the types of data involved and how many users there will be.
- I need to get this product yesterday. Can the evaluation go any faster?
  If a request is particularly urgent, please let the ISO know. Some parts of the review can be expedited based on requesters’ timelines; however, some portions rely on vendors’ diligence and willingness to provide the information needed to conduct the evaluation.
- This product is free; do I still need a service evaluation?
  In most cases, yes, if for nothing else than product and risk inventory purposes. Even free and open-source products often come with terms of use that could have negative consequences for the university. Unfortunately, even free products have the potential to be the cause of a major incident.
- What’s a HECVAT, and why do I need to request one from my vendor?
  Developed by members of EDUCAUSE, the HECVAT (short for “Higher Education Cloud Vendor Assessment Tool”) is a standardized self-assessment intended for vendors to complete for prospective higher-education customers. The HECVAT is intended to provide the ISO nearly all the information needed to assess a vendor’s security posture, to help ensure it’s an appropriate tool for the job and an appropriate place for the data it will handle.
- My colleague uses this same software in their department, so why do I need to fill out the form?
  Just as different departments have different business processes, they may also use software and services differently from one another. Contextual information, including the classification of data that will be handled, can make a big difference in whether a product can be authorized. In other words, something authorized for handling small volumes of public information may not have a security posture commensurate with high volumes of confidential data.
- Do I have to be sure I want to buy or use a service for the ISO to evaluate it?
  No, the ISO can begin an evaluation at any time in your selection process, well ahead of a purchasing decision. If a department is still narrowing its field of options, the ISO would prefer to evaluate only the front-runners to prevent wasted time and effort.
- Do service evaluations cost my department any money?
  No, the ISO does not charge back for service evaluations.
Ongoing Risk Assessment FAQs
- How can I access Beacon?
  Go to the Beacon login page and log on with your NetID and password. Beacon is only accessible from the campus network and the Remote Access VPN portal.
- Why do I need to participate in risk assessments? Can’t the ISO answer the risk assessment questions instead?
  State administrative code (Texas Administrative Code 202.72.1.A.H and 202.75) requires that information resource owners participate in risk assessments of the resources for which they are responsible. The ISO helps facilitate this process through formalized risk assessments and the service evaluation process, but the ISO cannot answer resource-specific questions on behalf of information resource owners.
- Someone from IT helped me set up this service. Can they do this risk assessment instead?
  Information resource owners are required to participate in the risk assessment process. Formal and informal (university-employed) information resource custodians may, however, assist with answering questions and providing background information. The ISO can also help provide clarification as necessary.
- I’m not the right person in my department to be running this risk assessment. What do I do?
  Please contact the ISO as soon as possible at InfoSecGRC@txstate.edu so documentation can be updated and the proper contact identified.
- My service is running in one of IT’s datacenters. Does it still need a risk assessment?
  This answer depends on a number of factors, including the type and volume of information handled by your service, as well as the impact an incident related to it could have on the institution.
- Can I reschedule this risk assessment?
  At least one assessment must be completed before November of 2020 to maintain compliance with State of Texas administrative code. Once that’s done, the next annual assessment can be scheduled at any point in the following year.
- My service has been used for years and hasn’t needed a risk assessment. Why do I need one this year?
  There are a few possible reasons. A formal service evaluation may not have been previously conducted, or the risk presented by your product may have changed relative to other contemporary services.
- This service was decommissioned. Does it still need a risk assessment?
  Probably not. Contact InfoSecGRC@txstate.edu with more information about how and when the product was decommissioned.
- What happens with this information?
  Information gathered by ongoing risk assessments is used by the ISO to gain a holistic, quantifiable view of the security risks presented to the university and to address one-off findings as well as potential “hot spots” that may be common across several services. Information about these security risks is also reported in varying detail to the university’s President, the Vice President of IT, and the rest of the President’s cabinet, along with the State’s Department of Information Resources.
- Can I request more frequent risk assessments?
  Absolutely. Please contact InfoSecGRC@txstate.edu with your request.
- Can risk assessments be set up for a service, system, network, location, or computer that hasn’t needed one before?
  In almost every case, yes. Please contact InfoSecGRC@txstate.edu with your request and more information about the assessable objects for which ongoing risk assessments should be scheduled.